Entrada Solutions
WebAuthn
WebAuthn
Pavan Ranganath
August 7, 2023
7:15 pm

WebAuthn (Web Authentication) is a web standard that provides a secure and convenient method for authenticating users to web applications using public-key cryptography.  It aims to replace traditional password-based authentication with a stronger and more user-friendly method. It introduces a strong authentication mechanism that is resistant to various attacks, such as phishing and credential theft.

Registration Process:

  1. User Initiation: The user begins the registration process on a web application or service that supports WebAuthn.
  2. Authenticator Enrolment: The user selects an authenticator, such as a USB security key or a built-in biometric sensor. The authenticator generates a new public-private key pair specific to the relying party.
  3. Credential Storage: The server securely stores the user's credential, associating it with the user's account. The credential typically includes the user's account identifier and the public key generated by the authenticator.

Authentication Process:

  1. User Initiation: The user attempts to access the web application or service that requires authentication.
  2. Authenticator Discovery: The server requests the user's browser to identify the available authenticators.
  3. User Verification: The user selects the desired authenticator and performs a user-specific action to verify their identity. This action can vary depending on the type of authenticator used, such as providing a fingerprint, entering a PIN, or using facial recognition.
  4. Challenge Generation: The server generates a challenge specific to the authentication attempt. The challenge is sent to the selected authenticator.
  5. Cryptographic Signature: The authenticator signs the challenge using the private key associated with the previously registered credential. The private key remains securely within the authenticator and is never exposed to the server.
  6. Signature Verification: The server receives the signed challenge from the authenticator and verifies its authenticity. It uses the stored public key associated with the user's credential to verify the signature. If the signature is valid, the server considers the authentication successful.
  7. Access Granted: Upon successful verification, the server grants the user access to the requested web application or service.

The registration process establishes a unique credential for the user, while the authentication process confirms the user's identity by validating their possession of the registered credential. WebAuthn's reliance on public-key cryptography ensures secure and robust authentication while reducing the reliance on passwords and providing a more user-friendly experience.

 

Category : Authentication